Marriott Breach: Unencrypted Passport Numbers, Payment Cards Leaked

Marriott Breach: Unencrypted Passport Numbers, Payment Cards Leaked

Marriott's mega-breach is somehow better, and worse.

Marriott International says its recently discovered mega-breach wasn't quite as bad as it first advertised. Marriott originally estimated that the breach exposed information of 500 million customers, but now believe only 383 million people were affected. 

"We concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database," Marriott said in its revised data breach notification.

Marriott also says that its breach investigation now counts 25.6 million passport numbers being exposed in the breach, of which 5.25 million were unencrypted. 

"There is no evidence that the unauthorized third party accessed the master encryption keys needed to decrypt the encrypted passport numbers," Marriott said, but that doesn't mean that the hackers couldn't later brute-force their way in.

Also exposed in the breach was approximately 8.6 million encrypted payment cards that were being stored by Marriott. If attackers were able to decrypt the card data, they could have been using the stolen card data since 2014 to commit fraud.

By the time the breach was discovered, Marriott said the majority of the payment cards were expired. Only 354,000 were still active as of September 2018. As with the passport data, Marriott has no reason to believe the third party accessed the encryption key needed to access the payment cards.

Back in December of 2018, the Marriott announced a breach of its Starwood guest reservation database. The information accessed included some combination of a name, mailing address, phone number, email, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation data and communication preferences.

About the Author

Sydny Shepard is the Executive Editor of Campus Security & Life Safety.

Featured

New Products

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis.

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening.